Reference & security

Configuration

The DNS resolver is configured at tunnel setup, not per-call. Pass the resolver in setupMixTunnel:

await setupMixTunnel({
  // Set the resolver explicitly. Defaults are 8.8.8.8:53 primary and
  // 1.1.1.1:53 fallback. Both fields take a `host:port` socket address;
  // fallbackDns is used if the primary fails to respond.
  primaryDns: '8.8.8.8:53',
  fallbackDns: '1.1.1.1:53',
});

The full options surface is documented under SetupMixTunnelOpts.

Security model

mix-dns follows the shared mixnet exit security model. The transport-specific exposure: at the IPR exit the query leaves as a plain UDP DNS request to the resolver, so the resolver sees the queried hostname and the IPR's IP, never yours. There is no TLS to terminate; the query and response are plaintext on the IPR-to-resolver leg.

⚠️ At the resolver the query is plaintext UDP. The resolver can read the hostname you are looking up, while the mixnet keeps it from learning who you are. Choosing 8.8.8.8 vs 1.1.1.1 only changes which third party sees the queries; both see them coming from the IPR. To remove the resolver from your trust set, pick one you already trust, or layer DNS-over-HTTPS via mixFetch to a DoH endpoint instead of mixDNS.
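
The DoH alternative mentioned above, as an added example that is not part of the Nym documentation or SDK: it builds an RFC 8484 GET request and parses the A records out of the binary reply. It assumes mixFetch can be called like `fetch(url, init)` and returns a fetch-style response; `doh.example` is a placeholder endpoint and every function name here is hypothetical.

```javascript
// Added example, not Nym SDK code. ASSUMPTIONS: `fetchLike` is mixFetch called
// with fetch(url, init) semantics; DOH_ENDPOINT is a placeholder DoH resolver.
const DOH_ENDPOINT = 'https://doh.example/dns-query';
// Encode a DNS query (type A, class IN). ID is 0, as RFC 8484 advises; RD=1.
function encodeQuery(hostname) {
  const qname = [];
  for (const label of hostname.replace(/\.$/, '').split('.')) {
    const bytes = new TextEncoder().encode(label);
    if (bytes.length === 0 || bytes.length > 63) throw new Error('bad label');
    qname.push(bytes.length, ...bytes);
  }
  return Uint8Array.from([0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, ...qname, 0, 0, 1, 0, 1]);
}

// RFC 8484 GET form: base64url of the wire message, padding stripped.
function buildDohUrl(hostname) {
  const b64 = btoa(String.fromCharCode(...encodeQuery(hostname)));
  return DOH_ENDPOINT + '?dns=' + b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function skipName(msg, off) { // returns the offset just past a (possibly compressed) name
  while (off < msg.length && msg[off] !== 0) {
    if ((msg[off] & 0xc0) === 0xc0) return off + 2; // pointer ends the name
    off += msg[off] + 1;
  }
  return off + 1;
}

// Extract IPv4 addresses from the answer section; throw on DNS errors.
function parseARecords(msg) {
  if (msg.length < 12 || (msg[3] & 0x0f) !== 0) throw new Error('bad DNS response, rcode ' + (msg[3] & 0x0f));
  let off = 12;
  for (let i = (msg[4] << 8) | msg[5]; i > 0; i--) off = skipName(msg, off) + 4;
  const out = [];
  for (let i = (msg[6] << 8) | msg[7]; i > 0; i--) {
    off = skipName(msg, off);
    const rdlen = (msg[off + 8] << 8) | msg[off + 9];
    if (off + 10 + rdlen > msg.length) throw new Error('truncated answer');
    if (((msg[off] << 8) | msg[off + 1]) === 1 && rdlen === 4) out.push(msg.subarray(off + 10, off + 14).join('.'));
    off += 10 + rdlen;
  }
  return out;
}

async function resolveViaDoh(fetchLike, hostname) {
  const res = await fetchLike(buildDohUrl(hostname), { headers: { accept: 'application/dns-message' } });
  if (!res.ok) throw new Error('DoH HTTP ' + res.status);
  return parseARecords(new Uint8Array(await res.arrayBuffer()));
}
```

The DoH endpoint still reads the queried names; what changes is that the query travels inside HTTPS rather than as plaintext UDP.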